-
-
Notifications
You must be signed in to change notification settings - Fork 367
/
flow_explicit_auth.go
73 lines (56 loc) · 2.54 KB
/
flow_explicit_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
// Copyright © 2024 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package openid
import (
"context"
"github.com/ory/x/errorsx"
"github.com/ory/fosite"
)
type OpenIDConnectExplicitHandler struct {
// OpenIDConnectRequestStorage is the storage for open id connect sessions.
OpenIDConnectRequestStorage OpenIDConnectRequestStorage
OpenIDConnectRequestValidator *OpenIDConnectRequestValidator
Config interface {
fosite.IDTokenLifespanProvider
}
*IDTokenHandleHelper
}
var _ fosite.AuthorizeEndpointHandler = (*OpenIDConnectExplicitHandler)(nil)
var _ fosite.TokenEndpointHandler = (*OpenIDConnectExplicitHandler)(nil)
var oidcParameters = []string{"grant_type",
"max_age",
"prompt",
"acr_values",
"id_token_hint",
"nonce",
}
func (c *OpenIDConnectExplicitHandler) HandleAuthorizeEndpointRequest(ctx context.Context, ar fosite.AuthorizeRequester, resp fosite.AuthorizeResponder) error {
if !(ar.GetGrantedScopes().Has("openid") && ar.GetResponseTypes().ExactOne("code")) {
return nil
}
//if !ar.GetClient().GetResponseTypes().Has("id_token", "code") {
// return errorsx.WithStack(fosite.ErrInvalidRequest.WithDebug("The client is not allowed to use response type id_token and code"))
//}
if len(resp.GetCode()) == 0 {
return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("The authorization code has not been issued yet, indicating a broken code configuration."))
}
// This ensures that the 'redirect_uri' parameter is present for OpenID Connect 1.0 authorization requests as per:
//
// Authorization Code Flow - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
// Implicit Flow - https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
// Hybrid Flow - https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
//
// Note: as per the Hybrid Flow documentation the Hybrid Flow has the same requirements as the Authorization Code Flow.
rawRedirectURI := ar.GetRequestForm().Get("redirect_uri")
if len(rawRedirectURI) == 0 {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("The 'redirect_uri' parameter is required when using OpenID Connect 1.0."))
}
if err := c.OpenIDConnectRequestValidator.ValidatePrompt(ctx, ar); err != nil {
return err
}
if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, resp.GetCode(), ar.Sanitize(oidcParameters)); err != nil {
return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
}
// there is no need to check for https, because it has already been checked by core.explicit
return nil
}